

About this Deployment Guide 


This deployment guide contains the information for deploying, interacting with, and
configuring the Centralized Appliance Management Service (CAMS) QGS Appliance on AWS
Cloud. It also outlines the details of launching QGS instances using the AWS Command
Line Interface (CLI).


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical 
security intelligence on demand and automating the full spectrum of auditing, 
compliance and protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed 
service providers and consulting organizations including Accenture, BT, Cognizant 
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, 
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a
founding member of the Cloud Security Alliance (CSA). For more information, please visit
www.qualys.com.


Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions will be answered in the fastest time possible. We support you 7 days a week, 
24 hours a day. Access online support information at www.qualys.com/support/. 




Overview 


Qualys Gateway Service (QGS) is a packaged virtual appliance developed by Qualys that 
provides proxy services for Qualys Cloud Agent deployments requiring proxy connectivity 
to connect with the Qualys Cloud Platform. 


This document outlines the steps required to set up a Centralized Appliance Management 
Service (CAMS) Qualys Gateway Service (QGS) appliance on the AWS cloud. 


Pre-requisites 
- To set up the CAMS QGS appliance on AWS Cloud, you need an AWS account. 


- You must have the AWS CLI installed on your machine to launch instances from the
command line.


- To get the QGS AMI, submit a service request to Qualys support with your AWS account 
ID and AWS Region. Qualys support will share the QGS AMI in your AWS account. 


How to Deploy and Configure CAMS QGS Appliance on AWS Cloud


Follow these steps to deploy and configure a CAMS QGS appliance on the AWS Cloud:
1. Log in to your AWS account. 


2. Go to Launch a virtual machine with EC2. 

3. On the EC2 experience page, go to Images > AMIs (Amazon Machine Images).




4. Select the QGS AMI and click Launch Instances to launch an EC2 instance. 


5. Select the qualys-qgs-1.1.0-65 AMI image.


Note: You need not deploy a new instance if you already have one with an old AMI image 
that can be auto-upgraded. 


- An AMI is a template that contains the software configuration required to launch your
instance. You can select an AMI from AWS Marketplace, the Community AMIs, or your own
available AMIs.


[Screenshot: Step 1: Choose an Amazon Machine Image (AMI), listing qualys-qgs-1.1.0-65 - ami-046a1afb413842c91 (Owner: 392769262557, root device type: ebs, virtualization type: hvm, 64-bit x86)]


6. Select the t3.large instance type and click Next: Configure Instance Details.


[Screenshot: Step 2: Choose an Instance Type. Currently selected: t3.large (2 vCPUs, 2.5 GHz, 8 GiB memory, EBS only)]

7. If you want to assign a public IP to the QGS appliances, configure the instance
details with the appropriate network and set the Auto-assign Public IP field to Enable.


- If you want to assign a private IP to the QGS appliances, do not enable the
Auto-assign Public IP option.




8. On the same Instance Detail Configuration screen, scroll down to the User data section,
add the following user data, and click Next: Add Storage.


#cloud-config
write_files:
  - owner: root:root
    path: /opt/qualys/cloud.env
    permissions: '0644'
    content: |
      POD_SUFFIX="Add your corresponding POD suffix here"


To find the POD suffix for your POD, see the Cloud Agent Servers section of
the Qualys Platform Identification web page.


You can use the Qualys platform URLs from the Qualys Platform Identification web page.
For example, for platform US2, you can use the platform URL qg2.apps.qualys.com to
add your corresponding POD suffix. Similarly, for platform IN1, you can use the platform
URL qg1.apps.qualys.in.


9. On the Add Storage page, you can attach additional EBS volumes and instance store 
volumes to your instance. 


Note: If you want to use your appliance for Patch caching purposes, then you need to add 
another storage volume of at least 256 GB. 


After adding the volumes to your instance, click Next: Add Tags. 


[Screenshot: Step 4: Add Storage, showing the root volume (25 GiB) and an added EBS volume (256 GiB), both General Purpose SSD (gp2)]


10. On the Add Tags page, you can add Owner and Name tag details, then click Next:
Configure Security Group.




11. On the Configure Security Group page, you can select an appropriate Security Group
and click Review and Launch.


Note: A security group is a set of firewall rules that control the traffic for your instance.
You can add rules to allow specific traffic to reach your instance.




12. Verify that all the settings match the values you selected and click Launch.




13. Choose 'Proceed without a key pair' from the dropdown, select the acknowledgment
check box, and click Launch Instances.


The following sample screenshot shows the instance launch status.


[Screenshot: Launch Status page with the message "Your instances are now launching"]


How to Interact with the Appliance 


To communicate with the QGS appliance, use the AWS EC2 Connect feature. This is a 
secure and straightforward method of connecting to your instances. It shortens the time 
required to boot and obtain new instances. 


1. Go to your AWS account, select the running instance and click Connect. 


2. Go to EC2 Instance Connect, change the User name to core, and click Connect.


Note: Use the EC2 Instance Connect option to connect to your instance if you enabled
Auto-assign Public IP while configuring the instance details to assign a public IP to your
appliances.


Note: If you want to assign a private IP to your QGS appliances, use the EC2 Serial
Console option to connect to your instance.




3. Once you connect to your instance, you are redirected to the appliance console.


Note: If it takes a long time to connect to your instance, we recommend that you keep
trying to connect.


4. Register the appliance with Qualys. For detailed steps on registering the appliance,
refer to the Qualys Gateway Service User Guide.


How to Launch QGS Instances Using AWS CLI 


The following command can be used to launch one or more QGS instances in the AWS cloud.
Run it with the AWS CLI.


Note: You must have the AWS CLI installed on your machine to run the command below.


Command to Launch QGS Instances in the AWS Cloud


aws ec2 run-instances \
  --image-id ami-046a1afb413842c91 \
  --instance-type t3.large \
  --security-group-ids sg-0**************** sg-0**************** \
  --subnet-id subnet-0**************** \
  --user-data file://ec2-userdata.yml \
  --associate-public-ip-address \
  --count 1 \
  --block-device-mappings \
    'DeviceName=/dev/sdb,Ebs={DeleteOnTermination=True,VolumeSize=256,Encrypted=False}' \
  --tag-specifications \
    'ResourceType=instance,Tags=[{Key=Name,Value="QGS Appliance"}]'


Content of the ec2-userdata.yml file used in the previous command:

#cloud-config
write_files:
  - owner: root:root
    path: /opt/qualys/cloud.env
    permissions: '0644'
    content: |
      POD_SUFFIX="Refer last page to know which POD suffix to use"


POD Suffixes 


To find the POD suffix for your POD, see the Cloud Agent Servers section of
the Qualys Platform Identification web page.
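

A pre-launch check for the ec2-userdata.yml file, added here as an example and not part of the Qualys guide. User data is only handled as cloud-config when its first line is #cloud-config and the key is spelled write_files, so the script writes the file from a POD suffix and rejects one that still carries placeholder text, curly quotes or a misspelled key. The function names and the hostname-style rule for POD_SUFFIX are assumptions of this example; qg2.apps.qualys.com is the US2 platform URL quoted earlier in this guide.

```sh
#!/bin/sh
# Added example: build and pre-check ec2-userdata.yml before run-instances.
# Function names and the hostname-style POD_SUFFIX rule are assumptions.

# Accept only dotted host names made of letters, digits, dots and hyphens.
valid_pod_suffix() {
  case $1 in
    ''|*[!A-Za-z0-9.-]*) return 1 ;;         # empty, spaces, quotes, newlines
    .*|*.|-*|*-|*..*|*.-*|*-.*) return 1 ;;  # malformed labels
    *.*) return 0 ;;                         # at least two labels
    *) return 1 ;;
  esac
}

# write_qgs_userdata <pod_suffix> <outfile>
write_qgs_userdata() {
  valid_pod_suffix "$1" || { echo "invalid POD suffix: $1" >&2; return 1; }
  cat > "$2" <<EOF
#cloud-config
write_files:
  - owner: root:root
    path: /opt/qualys/cloud.env
    permissions: '0644'
    content: |
      POD_SUFFIX="$1"
EOF
}

# check_qgs_userdata <file>: succeed only if the file is ready to launch with.
check_qgs_userdata() {
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
  # The header must be the very first line; a blank line or CRLF breaks it.
  [ "$(head -n 1 "$1")" = '#cloud-config' ] ||
    { echo "first line is not #cloud-config" >&2; return 1; }
  grep -q '^write_files:[[:space:]]*$' "$1" ||
    { echo "missing top-level write_files: key" >&2; return 1; }
  grep -q '^[[:space:]]*path: /opt/qualys/cloud\.env[[:space:]]*$' "$1" ||
    { echo "missing path: /opt/qualys/cloud.env" >&2; return 1; }
  [ "$(grep -c 'POD_SUFFIX' "$1")" -eq 1 ] ||
    { echo "expected exactly one POD_SUFFIX line" >&2; return 1; }
  # Extract the value between straight double quotes; curly quotes do not match.
  qgs_value=$(sed -n 's/^[[:space:]]*POD_SUFFIX="\([^"]*\)"[[:space:]]*$/\1/p' "$1")
  valid_pod_suffix "$qgs_value" ||
    { echo "POD_SUFFIX is misquoted or still placeholder text" >&2; return 1; }
}

# Usage (sample value is the US2 platform URL quoted in this guide):
#   write_qgs_userdata qg2.apps.qualys.com ec2-userdata.yml &&
#   check_qgs_userdata ec2-userdata.yml &&
#   aws ec2 run-instances ... --user-data file://ec2-userdata.yml
```

Take the actual suffix for your POD from the Platform Identification page; the check only confirms the file's shape, not that the suffix is the right one for your subscription.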